Kaspersky Warns Against AI-Generated Passwords on World Password Day

Kaspersky Sounds Alarm on AI Password Generators This World Password Day

The appeal is clear. Rather than struggling to come up with a strong password, users can simply ask AI, "Generate a secure password" and get an instant result. AI produces strings that look random, which helps avoid the human tendency to create predictable, dictionary-based passwords. But appearances can be deceptive, AI-generated passwords may not be as secure as they appear. Alexey Antonov, Data Science Team Lead at Kaspersky, tested this by generating 1,000 passwords using some of the more prominent and trusted LLMs including ChatGPT (from OpenAI), Llama (model from Meta group), DeepSeek (newcomer from China). "All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords," says Antonov.

On World Password Day Kaspersky warns against AI password generation

How many passwords do you have? It could be more than you think. Most online services and apps require the user to create a password. Chances are many of those passwords are not being used daily and due to this overabundance, there's a high probability that many of the passwords are being reused. Poor password management is compounded by a reliance on common combinations of names, dictionary words and numerals. Not only are these passwords relatively easy to decipher, but if a cybercriminal gains access to a password on one site, that could result in access to a plethora of other sites. People are urged to create unique, random passwords to counter the vulnerability posed by using the same password multiple times. However, password creation and management can be an arduous task. To tackle the burden of password creation and management, people might be tempted to use large language models (LLMs) like ChatGPT, Llama or DeepSeek to generate their passwords. The appeal is clear. Rather than struggling to come up with a strong password, users can simply ask AI, "Generate a secure password" and get an instant result. AI produces strings that look random, which helps avoid the human tendency to create predictable, dictionary-based passwords. But appearances can be deceptive, AI-generated passwords may not be as secure as they appear. Alexey Antonov, Data Science Team Lead at Kaspersky, tested this by generating 1,000 passwords using some of the more prominent and trusted LLMs including ChatGPT (from OpenAI), Llama (model from Meta group), DeepSeek (newcomer from China). "All of the models are aware that a good password consists of at least 12 characters, including uppercase and lowercase letters, numbers and symbols. They report this when generating passwords," says Antonov. "DeepSeek and Llama sometimes generated passwords consisting of dictionary words, in which instead of some letters there are numbers of similar shape: S@d0w12, M@n@go3, B@n@n@7 (DeepSeek), K5yB0a8dS8, S1mP1eL1on (Lllama). Both of these models like to generate the password "password": P@ssw0rd, P@ssw0rd!23 (DeepSeek), P@ssw0rd1, P@ssw0rdV (Llama). Needless to say, such passwords are not safe," adds Antonov. The trick with substituting letters is known and is not difficult to 'brute force'. ChatGPT does not suffer from this problem and generates passwords looks like random ones. For example: qLUx@^9Wp#YZ LU#@^9WpYqxZ YLU@x#Wp9q^Z YLp^9W#qX@zv P@zq^XWLY#v9 v#@LqYXW^9pz X@9pYWq^#Lzv However, if you look closely, you can see patterns. For example, the number 9 is often encountered. Shown below is a histogram of all the symbols in 1000 generated passwords for ChatGPT - it is clear to see that almost all passwords out of 1000 contain the symbols x, p, l, L .... Frequency of characters used in passwords generated by ChatGPT This doesn't look like random letters at all. For Llama, the situation is slightly better: Llama likes the # symbol, the letters p, l, L. Frequency of characters used in passwords generated by Llama DeepSeek shows similar tendencies: Frequency of characters used in passwords generated by DeepSeek An ideal random generator would not prefer any letter. All symbols must appear approximately the same number of times. Also, the algorithms often neglected to insert a special character or digits into the password: 26% of passwords for ChatGPT, 32% for Llama and 29% for DeepSeek. While DeepSeek and Llama sometimes generated passwords shorter than 12 characters. Knowing these dependencies, cyber criminals can significantly speed up password brute force: i.e. rather than trying in order "aaa", "aab", "aac", .. "aba", "abb", "abc", ... "zzz", they could start with frequent combinations. In 2024, Antonov developed a machine learning algorithm to test password strength and found that almost 60% of passwords can be cracked in under an hour using modern GPUs or cloud-based cracking tools. When applied to AI-generated passwords, the results were alarming, they were far less secure than they appeared: 88% of DeepSeek and 87% of Llama generated passwords were not strong enough to withstand attack from sophisticated cyber criminals. While ChatGPT did a little better with 33% of passwords not strong enough to pass the Kaspersky test. "The problem is LLMs don't create true randomness. Instead, they mimic patterns from existing data, making their outputs predictable to attackers who understand how these models work, notes Antonov" Adopt more secure password management Rather than relying on AI, users should adopt dedicated password management software, such as Kaspersky Password Manager. These tools offer several key advantages. First, this type of software uses cryptographically secure generators to create passwords with no detectable patterns, ensuring true randomness. Second, all credentials are stored in a secure vault, protected by a single master password. This eliminates the need to remember hundreds of passwords while keeping them safe from breaches. Additionally, password managers provide auto-fill and synchronization across devices, streamlining logins without compromising security. Many also include breach monitoring, alerting users if their credentials appear in a data leak. While AI can assist with many tasks, password generation is not one of them. The patterns and predictability of LLM-created passwords make them vulnerable to cracking. Instead of taking shortcuts, invest in a reputable password manager, your first line of defense against cyber threats. In an era where data breaches are rampant, a strong, unique password for every account is non-negotiable.